185807 2018-05-20 13:49:20 -0700 REGRESSION (r231107): Test http/tests/quicklook/same-origin-xmlhttprequest-allowed.html logs CSP failure 2018-06-01 12:22:41 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Local Build iPhone / iPad iOS 11 REOPENED https://bugs.webkit.org/show_bug.cgi?id=186165 https://bugs.webkit.org/show_bug.cgi?id=186202 InRadar, Regression P1 Normal --- 184741 1 dbates youennf aestes cdumez ews-watchlist japhet lforschler webkit-bug-importer youennf oldest_to_newest 1425525 0 dbates 2018-05-20 13:49:20 -0700 Before changeset <https://trac.webkit.org/changeset/231107/> (bug #184741) the expected result for test http/tests/quicklook/same-origin-xmlhttprequest-allowed.html was: [[ CONSOLE MESSAGE: line 1: PASS: XMLHttpRequest allowed -------- Frame: '<!--framePath //<!--frame0-->-->' -------- Run test ]] <https://trac.webkit.org/browser/webkit/trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed-expected.txt?rev=214189&format=txt> After changeset r231107 the result of this test changed (and unfortunately these new results were committed): [[ CONSOLE MESSAGE: Blocked by Content Security Policy CONSOLE MESSAGE: XMLHttpRequest cannot load about: due to access control checks. CONSOLE MESSAGE: line 1: PASS: XMLHttpRequest allowed -------- Frame: '<!--framePath //<!--frame0-->-->' -------- Run test ]] <https://trac.webkit.org/browser/webkit/trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed-expected.txt?rev=231107&format=txt> 1425527 1 webkit-bug-importer 2018-05-20 13:54:20 -0700 <rdar://problem/40402483> 1428431 2 youennf 2018-05-30 08:23:15 -0700 The test is trying to load a quick look URL using XHR. In that particular case, ResourceLoader::willSendRequestInternal will call previewConverter->safeRequest. The request URL is then updated and becomes "about:". Before moving the checks to NetworkProcess, DocumentThreadableLoader was not doing any further check since the request URL was the quick look URL and not "about:", thus the request is considered same-origin. Now that checks are done in NetworkProcess, "about:" is used for the checks. For this particular quick look + "about:" URL, it is easy to fix it in WebLoaderStrategy by disabling network checks in that particular case. The same issue might arise if an injected bundle decides to change the request URL on the fly. 1428485 3 341580 youennf 2018-05-30 10:25:03 -0700 Created attachment 341580 Special casing quick look 1428527 4 youennf 2018-05-30 11:56:15 -0700 Uploaded a patch that is fixing iOS-sim to the previous behavior for the given test. Except if we end up in big compatibility issues, I am not sure we should actually try to solve the issue where some layer (quick look, injected bundles) below our previous security checks are changing the request (URL or headers). 1429027 5 youennf 2018-05-31 15:38:46 -0700 I talked with andy about it. The URL is converted from a quicklook URL to about: because it is not pointing to a valid resource. It is fine to keep the current behavior for now and make the load fails. That said, we are no longer checking that CORS checks are passing in Network Process in case of a valid quick look URL. We should add a test for that case. I will file a separate bug entry for this particular issue and mark this one as WontFix. 1429308 6 dbates 2018-06-01 12:08:58 -0700 Re-opening this bug to update the test to actually check if the load was allowed or blocked and add a FIXME comment to determine a valid QuickLook attachment URL to use when making the XHR request. Currently the test considers XHR completion regardless of error as success. 1429313 7 dbates 2018-06-01 12:22:17 -0700 The test <https://trac.webkit.org/browser/webkit/trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed.html> does not seem materially consistent with example given in <rdar://problem/29898214>. We need a document Q_i that when QuickLook converted has a non-empty sub-QuickLook attachment Q_i_0. Then we should modify same-origin-xmlhttprequest-allowed.html to fetch Q_i_o via XHR and ensure it loaded the contents of Q_i_0. 341580 2018-05-30 10:25:03 -0700 2018-05-30 10:25:03 -0700 Special casing quick look bug-185807-20180530102503.patch text/plain 5182 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjMyMjYzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOTYwMjQwYWJjMTRlZmQy YTI0ZThmYTEwZDM1YTFjZmMxZDk3YTY0Ny4uMmNmNjJlMmFkZGJlNWJiNDBhYWZiYmMwNTBiNTcx MjQyZmZlN2FiYSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE4LTA1LTMwICBZb3Vl bm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjMx MTA3KTogVGVzdCBodHRwL3Rlc3RzL3F1aWNrbG9vay9zYW1lLW9yaWdpbi14bWxodHRwcmVxdWVz dC1hbGxvd2VkLmh0bWwgbG9ncyBDU1AgZmFpbHVyZQorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg1ODA3CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS80 MDQwMjQ4Mz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBDb3ZlcmVkIGJ5IHJlYmFzZWQgdGVzdC4KKworICAgICAgICAqIGxvYWRlci9TdWJyZXNvdXJj ZUxvYWRlci5oOgorCiAyMDE4LTA1LTI5ICBZb3Vlbm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNv bT4KIAogICAgICAgICBSZW5hbWUgRnJvbU9yaWdpbiBydW50aW1lIGZsYWcgdG8gQ3Jvc3NPcmln aW5SZXNvdXJjZVBvbGljeSBhbmQgZW5hYmxlIGl0IGJ5IGRlZmF1bHQKZGlmZiAtLWdpdCBhL1Nv dXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFuZ2VMb2cKaW5kZXggMTg1 MDA2NjU5MTQxYWM3NDZjMzNiNGE0MGVlMDEyODZmNzI1NGZiOC4uZTY1ZjJjODAzN2YzMjA3ZDM5 ZDVhZTJiZjdkMjRkOGVkYTVkYjFjZCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdC9DaGFuZ2VM b2cKKysrIGIvU291cmNlL1dlYktpdC9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxOCBAQAorMjAxOC0w NS0zMCAgWW91ZW5uIEZhYmxldCAgPHlvdWVubkBhcHBsZS5jb20+CisKKyAgICAgICAgUkVHUkVT U0lPTiAocjIzMTEwNyk6IFRlc3QgaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1s aHR0cHJlcXVlc3QtYWxsb3dlZC5odG1sIGxvZ3MgQ1NQIGZhaWx1cmUKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE4NTgwNworICAgICAgICA8cmRhcjov L3Byb2JsZW0vNDA0MDI0ODM+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgQWRkIGEgc3BlY2lhbCBjYXNlIGZvciBxdWljayBsb29rIGxvYWRzIHRoYXQg YXJlIGNvbnZlcnRlZCB0byBhYm91dDogVVJMLgorICAgICAgICBUaGlzIGRpc2FibGVzIHNlY3Vy aXR5IGNoZWNrcyBmb3IgdGhpcyBsb2FkLCB3aGljaCBpcyBvayBzaW5jZSBhYm91dDogVVJMCisg ICAgICAgIGRvZXMgbm90IGNvbnRhaW4gYW55IGluZm9ybWF0aW9uLgorCisgICAgICAgICogV2Vi UHJvY2Vzcy9OZXR3b3JrL1dlYkxvYWRlclN0cmF0ZWd5LmNwcDoKKyAgICAgICAgKFdlYktpdDo6 V2ViTG9hZGVyU3RyYXRlZ3k6OnNjaGVkdWxlTG9hZEZyb21OZXR3b3JrUHJvY2Vzcyk6CisKIDIw MTgtMDUtMjkgIFlvdWVubiBGYWJsZXQgIDx5b3Vlbm5AYXBwbGUuY29tPgogCiAgICAgICAgIFJl bmFtZSBGcm9tT3JpZ2luIHJ1bnRpbWUgZmxhZyB0byBDcm9zc09yaWdpblJlc291cmNlUG9saWN5 IGFuZCBlbmFibGUgaXQgYnkgZGVmYXVsdApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvbG9h ZGVyL1N1YnJlc291cmNlTG9hZGVyLmggYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvU3VicmVzb3Vy Y2VMb2FkZXIuaAppbmRleCBjNjczODE4ZTA0MWM4NmI4YWEyNWFjNzliYjk4ZDUxNWVhNDYxZDM5 Li45YWE3MTU2ODE5Njk1MmY3MWYwMzcxZTM3MzQyMGQ3Mzk2ZGVlMzgzIDEwMDY0NAotLS0gYS9T b3VyY2UvV2ViQ29yZS9sb2FkZXIvU3VicmVzb3VyY2VMb2FkZXIuaAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9sb2FkZXIvU3VicmVzb3VyY2VMb2FkZXIuaApAQCAtNDksNyArNDksNyBAQCBwdWJsaWM6 CiAKICAgICB2b2lkIGNhbmNlbElmTm90RmluaXNoaW5nKCk7CiAgICAgYm9vbCBpc1N1YnJlc291 cmNlTG9hZGVyKCkgY29uc3Qgb3ZlcnJpZGU7Ci0gICAgQ2FjaGVkUmVzb3VyY2UqIGNhY2hlZFJl c291cmNlKCk7CisgICAgV0VCQ09SRV9FWFBPUlQgQ2FjaGVkUmVzb3VyY2UqIGNhY2hlZFJlc291 cmNlKCk7CiAgICAgV0VCQ09SRV9FWFBPUlQgY29uc3QgSFRUUEhlYWRlck1hcCogb3JpZ2luYWxI ZWFkZXJzKCkgY29uc3Q7CiAKICAgICBTZWN1cml0eU9yaWdpbiogb3JpZ2luKCkgeyByZXR1cm4g bV9vcmlnaW4uZ2V0KCk7IH0KZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvV2ViUHJvY2Vzcy9O ZXR3b3JrL1dlYkxvYWRlclN0cmF0ZWd5LmNwcCBiL1NvdXJjZS9XZWJLaXQvV2ViUHJvY2Vzcy9O ZXR3b3JrL1dlYkxvYWRlclN0cmF0ZWd5LmNwcAppbmRleCAwOTdiOGJiZDNlY2Y0NTUxZjY3MWVi M2E4NDdlYmYzZTkyMGUwZWE2Li4wODYxYTczN2I1MjRmOTA2ODk3MjBlMzVkYTA4NzYzOWZjZGUw OTA0IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0L1dlYlByb2Nlc3MvTmV0d29yay9XZWJMb2Fk ZXJTdHJhdGVneS5jcHAKKysrIGIvU291cmNlL1dlYktpdC9XZWJQcm9jZXNzL05ldHdvcmsvV2Vi TG9hZGVyU3RyYXRlZ3kuY3BwCkBAIC0zMjUsNiArMzI1LDExIEBAIHZvaWQgV2ViTG9hZGVyU3Ry YXRlZ3k6OnNjaGVkdWxlTG9hZEZyb21OZXR3b3JrUHJvY2VzcyhSZXNvdXJjZUxvYWRlciYgcmVz b3VyY2VMCiAKICAgICBsb2FkUGFyYW1ldGVycy5zaG91bGRSZXN0cmljdEhUVFBSZXNwb25zZUFj Y2VzcyA9IHNob3VsZFBlcmZvcm1TZWN1cml0eUNoZWNrcygpOwogCisjaWYgVVNFKFFVSUNLX0xP T0spCisgICAgaWYgKGxvYWRQYXJhbWV0ZXJzLnNob3VsZFJlc3RyaWN0SFRUUFJlc3BvbnNlQWNj ZXNzICYmIHJlc291cmNlTG9hZGVyLmlzU3VicmVzb3VyY2VMb2FkZXIoKSkKKyAgICAgICAgbG9h ZFBhcmFtZXRlcnMuc2hvdWxkUmVzdHJpY3RIVFRQUmVzcG9uc2VBY2Nlc3MgPSAhaXNRdWlja0xv b2tQcmV2aWV3VVJMKHN0YXRpY19jYXN0PFN1YnJlc291cmNlTG9hZGVyJj4ocmVzb3VyY2VMb2Fk ZXIpLmNhY2hlZFJlc291cmNlKCktPnJlc291cmNlUmVxdWVzdCgpLnVybCgpKSB8fCAhcmVxdWVz dC51cmwoKS5wcm90b2NvbElzKCJhYm91dCIpOworI2VuZGlmCisKICAgICBsb2FkUGFyYW1ldGVy cy5pc01haW5GcmFtZU5hdmlnYXRpb24gPSByZXNvdXJjZUxvYWRlci5mcmFtZSgpICYmIHJlc291 cmNlTG9hZGVyLmZyYW1lKCktPmlzTWFpbkZyYW1lKCkgJiYgcmVzb3VyY2VMb2FkZXIub3B0aW9u cygpLm1vZGUgPT0gRmV0Y2hPcHRpb25zOjpNb2RlOjpOYXZpZ2F0ZTsKIAogICAgIGxvYWRQYXJh bWV0ZXJzLnNob3VsZEVuYWJsZUNyb3NzT3JpZ2luUmVzb3VyY2VQb2xpY3kgPSBSdW50aW1lRW5h YmxlZEZlYXR1cmVzOjpzaGFyZWRGZWF0dXJlcygpLmNyb3NzT3JpZ2luUmVzb3VyY2VQb2xpY3lF bmFibGVkKCkgJiYgIWxvYWRQYXJhbWV0ZXJzLmlzTWFpbkZyYW1lTmF2aWdhdGlvbjsKZGlmZiAt LWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRl eCBkYTM5MTIwOWNiODQxNzc3MGZkYzQyM2EyZTBmNWE2NTYxNWNjN2Y4Li45YTlmYzQxNDM4YWY2 N2ZkNDc1Y2RlZjFiMzhhMWNmNzMwZTRjMWRkIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFu Z2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTgt MDUtMzAgIFlvdWVubiBGYWJsZXQgIDx5b3Vlbm5AYXBwbGUuY29tPgorCisgICAgICAgIFJFR1JF U1NJT04gKHIyMzExMDcpOiBUZXN0IGh0dHAvdGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXht bGh0dHByZXF1ZXN0LWFsbG93ZWQuaHRtbCBsb2dzIENTUCBmYWlsdXJlCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODU4MDcKKyAgICAgICAgPHJkYXI6 Ly9wcm9ibGVtLzQwNDAyNDgzPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgICogaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1saHR0cHJl cXVlc3QtYWxsb3dlZC1leHBlY3RlZC50eHQ6CisKIDIwMTgtMDUtMjkgIFlvdWVubiBGYWJsZXQg IDx5b3Vlbm5AYXBwbGUuY29tPgogCiAgICAgICAgIFJlbmFtZSBDcm9zc09yaWdpblJlc291cmNl UG9saWN5IHNhbWUgdG8gc2FtZS1vcmlnaW4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAv dGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1ZXN0LWFsbG93ZWQtZXhwZWN0 ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1s aHR0cHJlcXVlc3QtYWxsb3dlZC1leHBlY3RlZC50eHQKaW5kZXggZWFkMWJjZDIyMWEwYmQ2NWM2 NTcxZDk2NDU1Y2JlYmM2MWZjM2MwYi4uZjgwMWRhZDhhZWNjMjc4MWVmYzYxYjc0NTc3MDA0NzAz ZTk2YThiMyAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svc2Ft ZS1vcmlnaW4teG1saHR0cHJlcXVlc3QtYWxsb3dlZC1leHBlY3RlZC50eHQKKysrIGIvTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1saHR0cHJlcXVlc3QtYWxs b3dlZC1leHBlY3RlZC50eHQKQEAgLTEsNiArMSwzIEBACi1DT05TT0xFIE1FU1NBR0U6IFJlZnVz ZWQgdG8gY29ubmVjdCB0byBhYm91dDogYmVjYXVzZSBpdCBhcHBlYXJzIGluIG5laXRoZXIgdGhl IGNvbm5lY3Qtc3JjIGRpcmVjdGl2ZSBub3IgdGhlIGRlZmF1bHQtc3JjIGRpcmVjdGl2ZSBvZiB0 aGUgQ29udGVudCBTZWN1cml0eSBQb2xpY3kuCi1DT05TT0xFIE1FU1NBR0U6IEJsb2NrZWQgYnkg Q29udGVudCBTZWN1cml0eSBQb2xpY3kuCi1DT05TT0xFIE1FU1NBR0U6IFhNTEh0dHBSZXF1ZXN0 IGNhbm5vdCBsb2FkIGFib3V0OiBkdWUgdG8gYWNjZXNzIGNvbnRyb2wgY2hlY2tzLgogQ09OU09M RSBNRVNTQUdFOiBsaW5lIDE6IFBBU1M6IFhNTEh0dHBSZXF1ZXN0IGFsbG93ZWQKIAogCg==